SSL handshake hang
I have seen this question around the forums but couldn't find any appropriate fix. Also, all those questions are missing some info, so I thought I'd put everything I have learned here, connecting the dots.

I am working with SSL/TLS in Openfire with 2-way authentication. I got a self-signed wildcard certificate, which means I have my CA on both client and server. Now this works, but sometimes the SSL handshake gets stuck at some particular line. Logs from the server side:

org.apache.mina.filter.ssl.SslFilter  - Session Server[40](ssl...): Processing the SSL Data

On the client side, I am using SMACK; when building the configuration I gave around a 2 min reply timeout just to check the behaviour. I also set a hostNameVerifier.

So whenever it hangs, I can see the following logs:

05-07 17:35:45.705 D/SMACK: SENT (1): <stream:stream xmlns='jabber:client' to='mydomain.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
05-07 17:35:45.712 D/SMACK: RECV (1): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mydomain.com" id="9haislljp2" xml:lang="en" version="1.0">
05-07 17:35:45.721 D/SMACK: RECV (1): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>
05-07 17:35:45.723 D/SMACK: SENT (1): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
05-07 17:35:45.730 D/SMACK: RECV (1): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

And here it hangs for an undefined time, sometimes around 20 seconds, sometimes a minute or more.

But right after that, the very first log I see is:

05-07 17:36:15.151 : HostNameVerifier callback verify: hostname:mydomain.com SessionID:[B@3cedf14
                                             CipherSuite:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                                             Protocol:TLSv1.2
05-07 17:36:15.153 D/SMACK: SENT (1): <stream:stream xmlns='jabber:client' to='mydomain' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
05-07 17:36:15.161 D/SMACK: RECV (1): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="mydomain.com" id="9haislljp2" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

and XMPP is connected.

So I looked into this hostname verifier functionality from the JDK and other sources; I am not sure, but I came to the idea that it was doing some DNS lookup. I also put my domain with its IP in /etc/hosts, so that should avoid DNS lookups, but still. Anyhow, I would appreciate it if anyone can point to something concrete.

Links I followed:

Apache MINA - stuck on SSL connection

How to disable Java's SSL Reverse DNS Lookup

Android 4.2 slow SSL/TLS

If anyone needs any more info, I will be more than happy to share.

Openfire Version: 4.1.3

Smack Version: 4.2.0

Ubuntu running openfire: 16.04

JDK installed: openjdk 7,8 (tried with both)

Shot answered 9/5, 2017 at 7:23
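One way to narrow down which phase is slow, as an added diagnostic that is not part of the question or of Smack/Openfire: this Python script replays the exchange shown in the question's log (stream open, STARTTLS request, `<proceed/>`, TLS handshake) and times each step on its own, including a separate reverse (PTR) lookup so the DNS suspicion can be checked directly rather than inferred from the gap. The names XMPP_TLS_NS, STREAM_OPEN, diagnose and recv_until are assumed here; the XMPP domain, host and ca.pem are placeholders for the poster's own values.

```python
import re, socket, ssl, sys, time

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_OPEN = "<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' to='%s'>"

def starttls_offered(features_xml):
    # True if <stream:features> advertises STARTTLS; the question's server also marks it <required/>
    return re.search(r"<starttls\s+xmlns=['\"]%s['\"]" % re.escape(XMPP_TLS_NS), features_xml) is not None

def is_proceed(xml):  # the server's <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> reply
    return re.search(r"<proceed\s+xmlns=['\"]%s['\"]\s*/>" % re.escape(XMPP_TLS_NS), xml) is not None

def timed(label, fn):  # run fn() and print how long the phase took, even when it raises
    t0 = time.monotonic()
    try:
        return fn()
    finally:
        print("%-20s %8.3f s" % (label, time.monotonic() - t0))

def recv_until(sock, marker):  # read until the marker bytes arrive or the peer closes
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def diagnose(domain, host, port=5222, cafile=None):
    ip = timed("forward DNS", lambda: socket.gethostbyname(host))
    try:  # the reverse (PTR) lookup the question suspects, timed on its own
        timed("reverse DNS (PTR)", lambda: socket.gethostbyaddr(ip))
    except socket.herror:
        print("  (no PTR record)")
    sock = timed("TCP connect", lambda: socket.create_connection((ip, port), timeout=120))
    sock.sendall((STREAM_OPEN % domain).encode())
    feats = timed("stream features", lambda: recv_until(sock, b"</stream:features>"))
    if not starttls_offered(feats):
        raise RuntimeError("server did not offer STARTTLS")
    sock.sendall(("<starttls xmlns='%s'/>" % XMPP_TLS_NS).encode())
    reply = timed("<proceed/> reply", lambda: recv_until(sock, b"/>"))
    if not is_proceed(reply):
        raise RuntimeError("expected <proceed/>, got: " + reply)
    ctx = ssl.create_default_context(cafile=cafile)  # self-signed CA goes in cafile; verification stays on
    tls = timed("TLS handshake", lambda: ctx.wrap_socket(sock, server_hostname=domain))
    with tls:
        return tls.version(), tls.cipher()[0]  # e.g. ('TLSv1.2', 'ECDHE-RSA-AES128-GCM-SHA256')

if __name__ == "__main__":  # usage: python tls_phases.py <xmpp-domain> <host> [ca.pem]
    print("negotiated", diagnose(sys.argv[1], sys.argv[2], cafile=sys.argv[3] if len(sys.argv) > 3 else None))
```

If the pause shows up under "reverse DNS (PTR)" rather than "TLS handshake", the /etc/hosts entry is not being consulted for the reverse direction and the lookup is what is stalling; if it sits entirely inside "TLS handshake", the delay is in the handshake itself and the verifier is only the first callback that runs once it completes.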
